[Resource Topic] 2005/189: A Weak-Randomizer Attack on RSA-OAEP with e = 3

Welcome to the resource topic for 2005/189

Title: A Weak-Randomizer Attack on RSA-OAEP with e = 3

Authors: Daniel R. L. Brown

Abstract:

Coppersmith’s heuristic algorithm for finding small roots of
bivariate modular equations can be applied against low-exponent
RSA-OAEP if its randomizer is weak. An adversary that knows the
randomizer can recover the entire plaintext message, provided it is
short enough for Coppersmith’s algorithm to work. In practice,
messages are symmetric cipher keys and these are potentially short
enough for certain sets of key sizes. Weak randomizers could arise
in constrained smart cards or in kleptographic implementations.
Because RSA’s major use is transporting symmetric keys, this attack
is a potential concern. In this respect, OAEP’s design is more
fragile than necessary, because a secure randomizer is critical to
prevent a total loss of secrecy, not just a loss of semantic
security or chosen-ciphertext security. Countermeasures and more
robust designs that have little extra performance cost are proposed
and discussed.

ePrint: https://eprint.iacr.org/2005/189

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.